feat(seinode): in-place TLS enable on Running SeiNodes

[bdchatham]

Summary

• Operators can now add spec.sidecar.tls.secretName to an existing Running SeiNode; the controller composes a NodeUpdate-style plan that cycles the pod with the kube-rbac-proxy mount.
• Builds on feat(seinode): sidecar TLS via externally-provisioned Secret #258's externalized-cert foundation. Disable and swap remain CEL-rejected — set-once semantics, not full mutability.
• Mid-rollout transport-mode windowing (the bug that bit closed PR feat(planner): TLS toggle on Running SeiNodes via NodeUpdate plan #254) is closed by sourcing transport from observed status.currentSidecarTLSSecretName rather than spec.

Closes #262.

Design

Surface	Behavior
CEL on spec.sidecar.tls	nil → set allowed; set → nil (disable) and A → B (swap) rejected
Status.CurrentSidecarTLSSecretName	Mirror stamped by ObserveSidecarTLS after rollout convergence (ReadyReplicas >= *Replicas)
SidecarURLForNode + cmd/main.go newSidecarClient	Both key on the same observed status field — lockstep transport flip
sidecarTLSEnableDrift	Narrow detector: spec set + status empty + preflight Ready
buildNodeUpdatePlan	Composes image-drift + TLS-enable drift in one pod cycle
Init plans (base / bootstrap / genesis)	Inject ObserveSidecarTLS between StatefulSet apply and first sidecar HTTP task
classifyPlan labels	New: tls-enable, node-update-tls-enable

LLD §0.1(b), §4, §5, §6 rewritten in this PR to reflect set-once semantics — the original LLD said immutable; un-deferred per operator validation that per-node delete+recreate is more friction than warranted.

Cross-review

Trio (platform / kubernetes / security) ran against 77a28c1. Three commits address findings:

• 77a28c1 — implementation
• e28c92b — round-1 fixups (cmd/main.go transport gate, ReadyReplicas check, classifyPlan separator, nil-guard, LLD rewrite)
• 1f33673 — comment sweep

Blockers addressed:

• k8s: cmd/main.go newSidecarClient was gated on spec while SidecarURLForNode reads status — divergence would break mid-rollout (in-place enable) and Phase-2 bootstrap (mTLS doer against HTTP bootstrap pod). Switched gating predicate to Status.CurrentSidecarTLSSecretName != "".
• security: Status field drives transport — audit confirms seinodes/status patch RBAC is scoped to the controller SA only. Documented as load-bearing trust assumption in LLD §0.1(b). Defense-in-depth admission policy tracked as Harden status.currentSidecarTLSSecretName writes via ValidatingAdmissionPolicy #263.
• platform + security: LLD §0.1(b)/§4/§5/§6 said this work was "explicitly rejected." Rewrote to reflect set-once semantics, transport-mode invariant, and the design-history evolution across feat(seinode): sidecar TLS via externally-provisioned Secret #258 → Enable TLS on existing Running SeiNodes via in-place plan #262.

Non-blocker fixups applied:

• ObserveSidecarTLS now requires ReadyReplicas >= *Replicas (k8s) — stricter than ObserveImage because stamping flips transport
• classifyPlan label node-update+tls-enable → node-update-tls-enable (security; avoids PromQL regex footgun)
• sidecarTLSEnableDrift has explicit nil-guard (k8s)
• buildBasePlan adjacent SidecarTLSEnabled blocks consolidated (platform)
• Bootstrap ObserveSidecarTLS placement comment clarifies Phase-2 vs Phase-5 (k8s)
• Test comment contradiction fixed (k8s)
• Added SidecarURLForNode tests for both mid-rollout quadrants

Deferred (tracked):

• Harden status.currentSidecarTLSSecretName writes via ValidatingAdmissionPolicy #263 — ValidatingAdmissionPolicy on seinodes/status writes (defense in depth)
• Envtest harness for CEL transitions (future infra)
• Shared rollout-readiness primitive between ObserveImage and ObserveSidecarTLS (lift if a third observer lands)

Test plan

• make test — full suite green
• golangci-lint run --new-from-rev=origin/main ./... — 0 issues
• make manifests generate — CRD diff is additive (new field optional, CEL change is a relaxation)
• Unit: sidecarTLSEnableDrift matrix (fires / converged / not-ready / disabled)
• Unit: plan composition across (image-only, tls-only, both) on Running nodes
• Unit: init-plan ObserveSidecarTLS placement (after ApplyStatefulSet, before ConfigApply)
• Unit: SidecarURLForNode mid-rollout quadrants (spec-set/status-empty stays HTTP; status-set drives HTTPS)
• Unit: ObserveSidecarTLS crashlooping-proxy scenario (UpdatedReplicas=1, ReadyReplicas=0 → stays Running)
• Unit: classifyPlan new labels
• Unit: condition lifecycle on TLS-enable plans (sets and clears)
• envtest: CEL allows nil→set, rejects set→nil + A→B (deferred — envtest harness not yet in repo)
• End-to-end on harbor: patch spec.sidecar.tls.secretName on a Running SeiNode with a pre-applied Secret; pod cycles; serves on :8443

References

• Enable TLS on existing Running SeiNodes via in-place plan #262 — tracking issue
• feat(seinode): sidecar TLS via externally-provisioned Secret #258 — externalized-cert foundation (merged)
• docs/design-seinode-sidecar-tls-toggle-lld.md — LLD revised in this PR

🤖 Generated with Claude Code

[cursor]

You have used all Bugbot PR reviews included in your free trial for your GitHub account on this workspace.

To continue using Bugbot reviews, enable Bugbot for your team in the Cursor dashboard.

[bdchatham]

Closing — directional pivot. We're removing sidecar TLS management from the controller entirely. Rationale: controller↔sidecar runs on the private K8s cluster network; TLS termination doesn't earn its keep here. kube-rbac-proxy stays for its SAR-based authz value (in --insecure-listen-address HTTP mode); all cert provisioning, Secret reference contract, preflight SAN validation, status mirror, and CEL immutability surface go away.

Subtraction PR incoming.